Month: December 2020

18. Didier Cossin on why governance is the key driver of organizational performance

Didier Cossin is the founder and director of IMD Global Board Center based in Switzerland, where he works with owners, boards, and senior leaders to maximize organizational performance using strategy, best-in-class decision-making and enhancing board culture and governance best practices. In this episode he talks about creating a high-performance board through enhancing board culture, fostering constructive dissent and focusing on governance best practices.


Links

High Performance Boards – Amazon Link to Didier’s Book

Didier Cossin’s Bio

Didier Cossin’s LinkedIn Page

Quotes

Governance has been the key driver of performance in the markets and for organizations and the way I define governance, which I think is all encompassing, is the art of decision-making at the top of organizations.

Constructive dissent is pivotal in the high functioning board. Dialectic is the meeting of well-informed great minds that through a dialogue, builds up towards a better decision and thus constructive dissent. Yes, dissent, having a different view, but in a constructive way for the organization, bringing the decision to a higher level and whatever we do in governance, it’s about fostering that constructive dissent towards decisions.

When a board is looking for a new member, what should it be looking for to determine that this new member will fit into this structure that it, that he or she will add to the constructive dissent, will add not just to the diversity of opinion, but will be – and I’ll use the term “cultural fit” – with the board.

I like the way you asked your question, because is it the cultural fit or is it enough of a cultural tension? My observation is that competency has less impact on decisions than personality.  Real diversity is going to be painful and you’ve got to figure out the level of pain that somehow is acceptable to drive effective governance. So the dialogue has to remain, but you need enough tension in that dialogue somehow.

I’m a strong believer in meritocracy. We do not have enough meritocracy in boardrooms. And we have many boards that get comfortable with board members. And somehow it’s not very well socially accepted to remove board members.

Is it possible that you have a high performing board, but the company’s not performing well or vice versa?

It’s very hard for me to see a well-organized and highly performing board in an underperforming organization. I haven’t seen that.

Risk work is essential to good board work

Big Ideas/Thoughts

What makes a great board?

Several items. Skills and competencies, dedication from the board members, the level of caring for the organization, the level of passion, the level of commitment because we are human beings and part of our human quality is that level of commitment.

The second one is what do people pay attention to? Do you have a board that focuses on what matters to the organization?

And diversity, but in a deep way: diversity of perspectives, which of course is fostered by gender diversity and by ethnic diversity and by culture diversity, but truly should lead to a diversity of perspectives in order to foster that constructive dissent that is at the heart at the very heart of the governance principle.

I was quoted in a famous financial newspaper for saying that 90% of boards are failing. I think it’s improving a bit because people have more awareness now and in general I see better boards. But the state of health of boards is still not great, but it is improving.  When I say failing, I mean they are not fulfilling their fiduciary responsibility to the organization.

Transcript

Joe: [00:00:00] Hello and welcome to On Boards: A deep look at driving business success. Hi, I’m Joe Ayoub and I’m here with my co-host Raza Shaikh. On Boards is about boards of directors and advisors and all aspects of board governance. Twice a month, this is the place to learn about one of the most critically important aspects of any company or organization: its board of directors or advisors.

Raza: [00:00:32] Joe and I speak with a wide range of guests and talk about what makes great boards great or makes a board unsuccessful. What it takes to be a valuable member and how to make your board one of the most valuable assets of your company.

Joe: [00:00:51] Our guest today is Didier Cossin, the founder and director of IMD Global Board Center based in Switzerland, where he works with [00:01:00] owners, boards, and senior leaders to enhance organizational performance using strategy, best-in-class decision-making and enhancing board culture and governance best practices. Among other clients, he has worked with sovereign wealth funds, central banks, supranational organizations, financial institutions, and funds throughout Europe, Asia, the Americas, Africa, and the Middle East.

Raza: [00:01:33] Professor Cossin is the author of several books, including his most recent, which is “High Performance Boards: Improving and Energizing your Governance”. It is a comprehensive manual for attaining best-in-class governance.

Joe: [00:01:49] Welcome Didier. It’s great to have you as our guest today

Didier: [00:01:52] Hey, it’s a real pleasure to be with you.

Joe: [00:01:54] And you’re joining from Switzerland so we appreciate you staying up for this and being with [00:02:00] us at this hour. Maybe skipping dinner or making dinner later today.

I know that you believe that governance is a big driver of performance as do both Raza and I, so let’s look at that and I’ll pose two questions. The first is what is governance? And the second is how do you measure performance?

Didier: [00:02:20] Yeah. Fantastic. Yeah, so, very true, Joe. Governance has been the key driver of performance in the markets and for organizations and the way I define governance, which I think is all encompassing, is the art of decision-making at the top of organizations. And this is truly what the board, in the sense of strategy decision, or picking the CEO or, or, you know, looking at the risks, it’s really, you know, this art of making the right decisions.

And when I look at [00:03:00] performance, of course, there is a, you know, is a classical view, right? Looking at financial performance, financial markets, stock price, and here, since the beginning of the year, the 20% better governed of the S&P 500 have added 17% today, 17% of performance to the S&P 500. And so you can see immediately the alpha, as we say, the performance such driven there, but I work with very different types of organizations as well. I work with the Red Cross, I work with UNICEF, or I work with central banks where clearly, you know, the performance is not the same thing and it pertains to what I would call organizational health and the ability of the organization to fulfill its mission and governance throughout our system is the key driver of performance [00:04:00] in that sense as well.

Joe: [00:04:01] So, that’s a pretty significant alpha for those companies that are publicly traded. That is a significant difference if it’s driven primarily or even exclusively by good governance. I mean, that is  it’s pretty significant. What are the things that you look at that determine what a great board is? What are the attributes you would identify in trying to determine which companies have those boards and where we would expect that better performance.

Didier: [00:04:30] And you see in my view of governance and so on the, I should tell you our listeners, right? Most of my work is being in a one-on-one situation with a board. I’m like a board doctor, right. I’m coming with a board and, I’m looking at where there is pain, where there is health and how to foster that health further.

From that angle,  I’m not going to define governance like the financial guys do by number of independent [00:05:00] directors, size of the board CEO-Chair separation, gender diversity of this kind of mechanics. These mechanics are driven by what drives fundamentally governance and maybe we could start with values. A sense of accountability and responsibility of the individuals involved, the long term view, right? Thinking about the next generation, the agility, but all of these become quickly too complex to observe, to foster and so I’ve come to my own process of clinically looking at governance. When I work with the board, how can I assess in 10, 15 minutes? Right? What works well, what doesn’t work well, and I use a model which I described in extenso in the book you’ve mentioned before. Four pillars of governance house, which I found is, [00:06:00] quite systematic across culture, works well in the United States. I’ve used it quite a bit in the US, but it does work in Singapore. It even works for state-owned organizations in China. So I tell you, it goes all ranges.

Joe: [00:06:17] Cuts across all cultures. So, what about the people, obviously in putting together the culture that you’re describing, it, there must be things you’re looking for, or you would advise your clients to look for when it’s thinking about board composition. It’s not just skills, it’s not just experience there, there are other attributes that you must be obviously weighing pretty heavily. What are they?

Didier: [00:06:46] Yeah. So, I mean, at first you’re right. We still need to have the skills and the competencies. Right. We should not discount that, because from time to time, you see boards without the competencies and that’s of course basket cases. Right? So first, you know, [00:07:00] the basics, so the, the skills and the skill mapping.

Joe: [00:07:03] Yeah. It’s a given, right.

Didier: [00:07:04] That’s right. That’s right. But then I figured out there are three other dimensions that I pay a lot of attention to.

One is simply the dedication from the board members. You know,  the level of caring for the organization, the level of passion, the level of commitment because we are human beings and part of our human quality is that level of commitment. The second one is what do people pay attention to? I see great boards that somehow are being drifted into looking only at the past, for example, only looking at regulatory issues. So I call it focused. Do you have a board that focuses on what matters to the organization? And the third is really  diversity, but  in a deep way, diversity of [00:08:00] perspectives, which of course is fostered by gender diversity and by ethnic diversity and by culture diversity, but truly should lead to a diversity of perspectives in order to foster that constructive dissent that is at the heart at the very heart of the governance principle.

Joe: [00:08:25] Talk to us a little bit about constructive dissent. I know that you think that that is pivotal in the high functioning board.

Didier: [00:08:33] Yeah. You see, when you’re tackling the most complex decisions in life – it can be a larger acquisition. It can be, simply, you know, an employee policy, when you’re tackling these decisions that have real impact, there are three ways to access the truth. One is, one individual that [00:09:00] knows it, right, and goes through rhetoric to express it. This is rare and arguably does not happen anymore with the complexity of the world. You know, technology complexity, social complexity, that we are living with these days. The second way to access the truth is scientific. Having a proof, right, which, in most business cases, even in acquisitions does not happen, right. Because you may have your discounted cash flow. But it’s still war to make, you know, the culture of the combined entity. So you’re, you’re also stuck there.

And so we are left with the third one, right? Which is dialectic. Dialectic is the meeting of great minds of well-informed great minds that through a dialogue, build up towards a better decision and thus [00:10:00] constructive dissent. Yes, dissent, having a different view, but in a constructive way for the organization, bringing the decision to a higher level and whatever we do in governance, it’s about fostering that constructive dissent towards decisions.

Joe: [00:10:18] So when a board is looking for a new member, what should it be looking for to determine that this new member will fit into this structure that it, that he or she will add to the constructive dissent, will add not just to the diversity of opinion, but will be a, and I’ll use the term “cultural fit” with the board.

Didier: [00:10:42] Yeah, it’s very a great way to ask this question, right? Because typically we start from the skills and we start our, we need to tech guy, right. Or we need a finance guy. Right. And we start from the competencies and I tell you, my observation is that competency has less [00:11:00] impact on decisions than personality, huh? You take a, you take a conservative tech guy, right. And that tech guy will not drive innovation. You get to nothing to experience type of finance guy and he may actually, or she may actually lead towards innovation even in tech. And so personality of the board members I even do now mapping, I use a tool called Neo, the big five personality traits, plenty of psychometrics alternatives. I like Neo because it’s scientific, it’s not a consultant type of thing, but, you know, and the best Chairs do that naturally, right? Because they understand the personalities even better than whatever psychometric is going to give to you. Right. They figure out and I like the way you asked your question, because is it the cultural fit or is it enough of a cultural [00:12:00] tension? That you actually create a new culture that’s a bit more open than a bit wider, right? Hence the role of true diversity because true diversity is painful. You know, whoever say he or she is comfortable with diversity. Right. It’s misreading it. That’s not true. Diversity. Right? Go and talk to a Taliban in Afghanistan and you won’t be comfortable, right. That’s basically all right. That’s real diversity, but maybe you don’t want that one on the board. Right? You have to pick your diversity, but you see what I’m saying? Real diversity is going to be painful and you’ve got to figure out the level of pain that somehow it’s acceptable to drive an effective governance with it. So the dialogue has to remain, right, but you need enough tension in that dialogue somehow.

Joe: [00:12:53] How often should boards be off-boarding and finding new board members to add to the dynamic [00:13:00] of the group?

Didier: [00:13:00] Yeah, it’s an intriguing question as well. First I’m a strong believer in meritocracy. We do not have enough meritocracy in boardrooms. And we have many boards that get comfortable with a board members that get comfortable. And somehow it’s not very well socially accepted to remove board members. I was discussing that with a Chair of a $250 Billion pharma company was telling me that he has figured out, his most important for is to be able to let board members go elegantly, right. To find the way right. For them to go.

Joe: [00:13:46] That’s not easy.

Didier: [00:13:48] It’s not easy. I have a chair, a smart man who’s at the beginning has announced that one board member would leave every year. And that’s, you know, eight board [00:14:00] members. It’s still a tenure of eight years. Right. But Hey, it’s based on meritocracy, but we know one of us leaves every year and that’s a renewal.

Fundamentally. Right? Fundamentally, we need renewal. We need renewal because the world is transforming, right? Because the new generations are seeing the world differently as well. and, and gender diversity has been a way to perform renewal, a bit of age diversity as well.  And then how you figure it out, depends a bit on the social system your organization is in, but yes, constant renewal is a good thing, you need, of course, a bit of stability, you, you need the historical knowledge of the organization as well. Right? to be fair, I have an organization, an international organization where board members had maximum tenure of two years and that’s terrible as well.

Joe: [00:14:56] Oh, that’s crazy.

Didier: [00:14:56] Uh, in the corp… it is crazy, [00:15:00] but two years, and this was that was very unhealthy. But in the corporate world, we tend to hang on for too long. I even had a lady that the chair of one of the largest Swedish companies, Swedish lady, who has decided that if after five years, she’s not made a difference, it means that she won’t make a difference and she leaves. And typically she doesn’t stay on her boards more than six years. And she says six years is plenty of time. If you haven’t made the change in five years, right. It’s not in the next five years.

Joe: [00:15:33] Yeah. Not many people will do that. That’s

Didier: [00:15:36] That’s right. That’s right.

Raza: [00:15:37] Didier, to our original question of tying companies performances to board’s performance. Would that be true that, always an effective board means an effective performance or higher performance of the company. Is it possible that you have a high performing board, but the company’s not performing well or vice versa?

Didier: [00:16:01] It’s hard for me to envision. I can certainly see a company for which the purpose is not to maximize financial performance, where a service to customer, I think of a Wikipedia or something like that, right. A service to customer. And that, that I can envision. I can also envision a board that would be disrupted by owners and I’ve seen that case. So high quality board, but the shareholders are in fights and are disrupting, but it still creates a board that doesn’t work that well. Right. Because of that disruption. It’s very hard for me to see a well organized and highly performing board in an underperforming organization. I I’m, I haven’t seen that. But then the definition of performance may of course vary across organizations.

Raza: [00:16:57] Didier, you have seen a [00:17:00] lot of boards. What is your assessment of the general state of global health of governance across the world? Is the world getting better at running boards? And then, what have you seen in comparison with US boards and the rest of the world and non US boards? What have been the differences in practices and what is the state of our affairs for governance across the globe?

Didier: [00:17:28] I was quoted for saying in a famous  financial newspaper that 90% of boards are failing. I think it’s improving a bit because people have more awareness now and I see in general better boards, but you know, the state of health, it’s still not great. And I would say if I’m looking at board improvement as a generational thing, which I think it is, governance has become the [00:18:00] foremost topic these days, but it’s the 25 years type of progress.

I would say we’re about midway. So we’ve improved our practices a lot in many areas, contribution to strategy, stakeholder engagement, shareholder, engagement. and, and so, performance reviews, even board evaluations, I think we are starting to be quite serious there, so it’s a bit late, right. But people are, you know, the well-minded people know how to play the game better and better. And I think that’s what matters, right? Those that want to achieve have the tools to achieve. I’m a rather a meritocratic type of person. Right. I think if it’s a boards that are willing can do a good job, right. We’re home free. And I think we’re getting there. I think we’re getting there.

Raza: [00:18:53] All right. So we, we have hope and we are improving in general.

Didier: [00:18:57] The USA used to [00:19:00] be the lighthouse, right. It used to be, you know what the world would follow.  And then you’ve had several events and I’m not talking about a current or last administration. It’s much longer term than that. Hey, it’s a seminal events that have occurred that primacy of all the shareholder above or, the, the, the social difficulties I would say is that, the world has seen,  and the rise of private markets with, what I would call the exclusion of, for a good part of what should be well-governed from, from the transparency and the views of the world.

And so these different trends have needed that competing systems, not substitute. So that competing systems have come at right. The, what I would call the Scandinavian stakeholders system, [00:20:00] with, you know, often employees on boards and, under, rather I wouldn’t call it socialist, but closer to socialism, perspective is advantages and disadvantages. I’ve seen very effective governance promoted by large sovereign wealth funds that are very directive with strong views.

I’ve seen the Singaporean model, where people are aligned to culture and not constraints, but culture and somehow can still foster good governance. As long as you own these values that are there. And so I’ve seen, I’ve seen alternative to tell you, the reality I’m working with a Pan-African company, an African company that has excellent governance where, you know, the whistle blowers are there on there, and they’re moving the game. And, I’m seeing, some European companies [00:21:00] that are transforming at speed, and we’re still taking lessons from the US. Because, you know, the US is still, you know, that, that fantastic carrier of innovation, et cetera, right. Governance. And how do you think tech governance? And so, what I find is that the world has just grown richer and the large cap US model is not the model anymore. And, it’s how do we think what’s right for organization? Whether it’s a family business, a private equity business, a publicly traded business, even a state owned business what’s right for us. And how do we emulate the best?

Joe: [00:21:41] Excellent. Yeah. You know, I want to go back to something you said, though, you were quoted as saying that 90% of all boards are failing. Is that an accurate quote?

Didier: [00:21:52] Yeah. You know, it’s not scientific. Right. But it came from my practice and I have to tell you, I don’t see healthy boards. Let’s be very clear. [00:22:00] Right.

Joe: [00:22:00] But overwhelming majority of overwhelming majority are failing?

Didier: [00:22:05] Yeah, yes. At least five years ago. And I would say now it is a majority by far. Maybe it’s more 70%, but it is a majority. Maybe I have high standards, but…

Joe: [00:22:18] That’s okay. That’s

Didier: [00:22:19] good…

But when I say failing, I mean, In my view, they are not fulfilling their fiduciary responsibility to the organization. So the organization may still be resilient. Right. But in my view, they are not fulfilling their fiduciary responsibility and it may be because of their own choice. That the worst case, it may be because of limitations. They don’t have the courage to address, which is, I would say more common. And then I also have to say, we have [00:23:00] integrity failures in the world, and we have transfers of wealth in all countries. Right. And that’s also a reality, where people get comfortable, they know what’s going on, they’re aware of it and they don’t want to be bothered. And so all, all these cases cumulated still make to me. the majority of boards, unfortunately,

Raza: [00:23:26] I would also say that in some ways, because the longevity of organizations, the average age that they now die off has been coming lower and lower is also an indication of that governance failure.

Didier: [00:23:42] Right. As long as this is so true. Right. And, but to me, it’s, this is healthy, no systems. This is of course a wealth of the capitalistic system, right? It’s a natural selection process and this is what I love. Right. It’s organic. It works. And it’s [00:24:00] not capitalism as an ideology, right. It’s a system of natural selection where, you know, the strongest, the healthiest, will do well and will organize themselves to do well. And that’s a good sign of natural selection of on governance, which, which exists and is there. And the US is of course doing that perfectly well with the different systems and by the way, diversity in all the structures shows the quality of system governance, private equity in competition with publicly traded, traded, widely held publicly traded with a family anchor with privately held by a family with, you know, agencies, even with nonprofits, right. That whole organic system works great.

Joe: [00:24:53] What are the issues that lead to board failure? The primary issue, the primary issues.

Didier: [00:24:58] So first, you know, [00:25:00] I’ve had my four areas of failures where I see where boards killed their organization. And the first one is technical risks. Right. And, you’d think for example, of a BP with a Macondo Field explosion. Who has the board didn’t even have on their risk map, that specific risk or think Boeing, right? That’s also a technical risk issue.

The second one is a strategy and strategy involvement. Classic is, you know, digital photography and Kodak. Of course, the third which I pay a lot of attention to and very sensitive and people don’t think enough about that is the quality of the relationship between the executives and the non-executives – is this a trusted relationship, right? Is there a free flow of information? is that psychological safety? In that relationship and the fourth are simply integrity issues because I see, I see major corruption, [00:26:00] conflict of interest, and more than what people admit. Right. And, and sometimes it’s soft, right? It’s soft conflict of interest, but it’s still there. And somehow that disturbs the role of the board in a very fundamental way. And so for me, these are the four key drivers, but then in today’s world, you have all, you know, all the elements to, to integrate in that, right? The technological transformation, the shareholding activism, and you know, all, all the different drivers that are engaging the extraordinary dynamics that we have in today’s world.

Joe: [00:26:38] It sounds like a lot of that comes down to the failure to identify and manage risk.

Didier: [00:26:46] Yeah. I tend to agree with you. I tend to agree with you, but risk in a deep way. Right, and, and typically by the way, a good risk practice to me just dealing with the [00:27:00] larger organization on that, and I don’t think they’re doing a good job on risk and they have fantastic risk processes and they have a very elaborated ERM and they do all their risk maps, they’re subsidiary, et cetera. Right.

But the good board work on risk is for the board itself. To elaborate its own view of risk as differentiated from management, right? Because again, we are back to dialectic, right? You need to have all these different views and different angles. And so, you know, the, the CEO is not going to put himself as a risk on the risk map. But if you, as a board, think your CEO is a risk, you need to be able to integrate that right. Or culture as a risk.  And typically you need, you need that perspective on the board.

So I would say is that risk work is essential to good board work. Now, Joe, I’m a little careful because maybe a lot of people [00:28:00] see risk as a process. Right. And they just follow the process and then think they have completed their risk duties. And objectively if that’s what we’re thinking about risk, then no, the board work goes much beyond that. Right. But if you’re thinking risk in a deep way, I fully agree with you.

Raza: [00:28:18] I love the quote from, one of the venture capitalists that says failure comes from failure to imagine failure.

Didier: [00:28:25] Very good. Yeah, I like that. That’s a good one. Yeah.

Raza: [00:28:27] Didier. I want to talk about your most recent book, “High Performance Boards”, a practical guide that is envisioned for improving and energizing your governance. What was your goal for writing that book? Who’s your intended audience? How is it intended to be used?  Tell us about your book.

Didier: [00:28:45] Well, you know, I have 20 years of practice helping boards, get better, right. Improve themselves. And, and so I’ve developed so many tools, so many exercises, so many ways to improve so many ways to [00:29:00] think about where you need to improve that I thought, it would be nice to have that. And I didn’t see a book that did that. And so I decided why don’t I compile everything I’ve done here for boards, make it, you know, a bit consistent and rational so that people have a bit of a guide.

If they join a board or if they are on the board on how to help that board improve or to help themselves improve as board members, and, and very fundamental to that, and you hear it and I think we’re all in agreement here, is governance is a fundamental driver, not on your organizational health. But of social well-being for the future. It is, you know, it is the best gift that you can do to an organization to dedicate yourself to the governance quality of that organization. Whatever is the purpose of the organization and all [00:30:00] purposes valid in my view. So it’s really commercial, non-commercial all of that adds to the world. And fulfilling it with integrity with the right quality is, is what I’m trying to foster. And I believe, you know, I have a few tricks of the trade let’s say, right that help actually, get there faster for those people that are motivated.

Raza: [00:30:24] I see a very, rich tool set that’s, available to, as you said, like even to an individual board member or a board on the whole. Or consultants and advisors to boards who help, make boards, more effective. I think it’s a, it’s a wonderful compilation of, your distilled knowledge across many different areas.

Joe: [00:30:47] Do you spend time training board members?

Didier: [00:30:50] Yeah, quite a bit . Training is not quite the right word, right? I prefer educating because I don’t do training. For example, I wouldn’t do a [00:31:00] training on, on risk techniques or a training on fraud detection. But, I tend to try and elevate them. Right. Educate them around the key should sometimes very, very senior individuals.  And I do one-on-ones with chairs of large organizations and the, and I do find, and by the way, I get educated at the same time. Right. It’s it goes both ways. It goes both ways. I find, you know, I think I’m a true educator at heart. I, I discovered that in the US actually in Boston, Cambridge, and, and to me, this is, you know, it’s so beautiful, right.

To figure out how to be better. Right. And, and somehow we all have that capacity and organizations have that capacity. And so I’d like to foster that, and I do that one-on-one with board members.

Joe: [00:31:54] That is a terrific thing to, to be, striving for that’s for sure. [00:32:00]

Raza: [00:32:00] Didier, we have a bunch of rapid fire questions for you. What have been the two best boards in your board career and why?

Didier: [00:32:09] Neste in Finland, the oil and gas company decided to move into biofuel, managed that transformation, multiplied its market cap by a factor of five while the oil wells of majors divided theirs by a factor of three. And, I think that’s a transformation I want to see. And then, I would say one, Italian organization I work with, and has completely transformed the game and I have to be discreet about it, but, I’m really glad about that. That’s a good force for the world.

Raza: [00:32:42] Wonderful.

Joe: [00:32:43] What board practice do you recommend that most boards should follow?

Didier: [00:32:47] Well I think constructive dissent, right? The dialogue and ensuring the dialogue. I think whenever you think you see someone not participating, whenever you see that, you know, somehow it’s not [00:33:00] free flowing that there are groups that are forming, you know, you’re losing it. Right. So pay attention when you lose it. Awareness of constructive dissent.

Raza: [00:33:09] Well said. Number one rule you would implement for conducting board meetings if you served as a board chair?

Didier: [00:33:17] Equal participation and, the, continuous board evaluation. Awareness for performance. Right? How good are we? Huh? Awareness, awareness with equal participation.

Joe: [00:33:32] Boy, I couldn’t agree more on both of those points. Favorite book or books that you’ve read in the last year? Anything in particular?

Didier: [00:33:41] Ah, yeah, I just, read, Rene Girard, Stanford professor on, you know, sociology, anthropology on mimetism. It made me think a lot about group think and how we, we need to preserve even the individuality of organizations. You [00:34:00] know, we are all here to talk about what are the best boards, but truly the best board is the one you’ll invent. Right. And how you’re going to create it and how we are all individuals, organizations that have their own personality and truly it’s figuring out what’s right for your organization.

Raza: [00:34:19] And Didier, lastly, non-profit cause or mission that matters the most to you?

Didier: [00:34:25] So I help in my governance work for free. It’s my donation, the Red Cross, which, tries to alleviate, you know, the horrors of Wars, and also UNICEF that takes care of children around the world, but… but where I care the most somehow, for some reason, close to my heart, I suppose, is nature. And I so, I, you know, I help Conservancy, organizations, but I also give money to a Nature Conservancy. So I’m close to nature.

Joe: [00:34:58] It’s been great [00:35:00] speaking with you today. Thanks for joining us. I hope you and your family are well and will continue to be well and stay safe.

Didier: [00:35:07] Thank you so much for the great pleasure.

Joe: [00:35:10] And thank you all for listening today to On Boards with our special guest, Didier Cossin. Please stay safe and take care of yourselves, your families, and your communities as best you can. Raza, you take care. I hope you and your family continue to be well, and you’re staying safe also.

Raza: [00:35:27] Yes, Joe, we’re all staying safe. Thank you. And I hope the same for you and your family as well.

Joe: [00:35:32] Thanks. Take care.

17. James Lam on the new world of risk management and oversight for companies and boards

James Lam is a globally recognized risk expert, an early advocate of Enterprise Risk Management and the first-ever Chief Risk Officer. He has served as a director and chair of the risk oversight and audit committees of both public and private companies. James was a commissioner for the NACD Blue Ribbon Commission on board oversight of disruptive risk. In this episode he shares his most current thinking on the evolving state of risk management and the challenges and opportunities ahead.

Thanks for listening!

We love our listeners! Drop us a line or give us guest suggestions here.

Links

https://en.wikipedia.org/wiki/James_Lam

https://jameslam.com

NACD Cover Story: Animal Kingdom of Disruptive Risks

NACD Directorship: The View of ERM from E*Trade’s Risk Chair

Quotes

I think taking a proactive approach to risk management is one of the key responsibilities for the CRO. So, think about yourself in the first line of defense. You’re running a business. You’re running the IT function. You’re really focused on the day-to-day, and you might be responding to risk incidents or minor crises, but a Chief Risk Officer is much more forward-looking, much more proactive, looking at things outside in, looking at things much more long term….the Chief Risk Officer really provides the expertise, the time, the attention and focus on the most critical things that are going to drive performance in the future. So being proactive, being forward looking at key trends outside in, are really important things.

I think it is important that the board provides input in terms of the kind of risk management reporting that they want to see, the kind of metrics, and also guidance on the risk appetite statement and the integration between risk and strategy.

The Risk Committee and the Audit Committee wear different hats. They have very different scopes and mandates. The Audit Committee is paid to think inside the box: SEC requirements, financial disclosure, Sarbanes Oxley, FASB, etc. You don’t want to be creative in your accounting. You really want to make sure you’re in compliance of all the laws, regulations and standards.

Whereas the risk committee is paid to think outside the box. What are the uncertainties, what are the external drivers that could impact our earnings, our cash flows, our value? How do we expect the unexpected? How do we think around corners? So, you’re really paid to think outside the box, and I think that is a very compelling way of contrasting the scope and mandate of the Audit versus the Risk Committee.

Big Ideas/Thoughts

Even companies with risk committees might say appropriately that strategic risk, and reputational risk ought to be a full board agenda item. There are different ways of doing it, but I think the most important thing is to make sure that the risk agenda is well represented in terms of board and committee time.

What are the things that we should look at in determining whether, and to what extent, a board bears the responsibility for the catastrophic problem that might derail a company?

I think your listeners could benefit from looking at the Blue Bell Ice Cream case (Blue Bell case commentary) and the Clovis Oncology case (Clovis case commentary), both of which I think have really elevated the standards for duties of care and duties of loyalty in terms of risk management and compliance, and that it is important for the Board of Directors in exercising those two standards to make sure that there is a risk management and compliance system in place, and that system is working effectively and that the board is getting the right metrics, the right reporting and red flags in terms of risks, and that they hold management accountable.

Chief Risk Officer

The Chief Risk Officer is really tasked with making sure that there’s a robust and effective ERM program, that risk management policies, risk assessment and analytics, risk management strategies, and executive and board reporting are appropriate.

I would say the CRO is responsible to help the board and senior management to imagine the unimaginable. To expect the unexpected and be able to prepare for any scenario.  I worked with one Board of Directors and the company had a very strong ERM program.  In 2018, the board approved a pandemic management plan. Last year they stress test that plan and then when the pandemic hit early this year, they had a playbook.  The playbook didn’t anticipate everything, but it had a curve with different stages of a pandemic, it had social distancing, PPE, you know, working remotely and so forth. We probably had 70 to 80% of the eventualities and that really helped the company be prepared for this scenario. I would say that company probably wouldn’t have this plan in place if they hadn’t already addressed some of their core risks in their ERM program.

A lot of companies get stuck in risk identification. So the way many companies do risk assessments and heat maps, they generally get people in the room, they say, what are the risks facing the company? They might come up with 20, 30 different risks and they would assess the probability one to five and then severity one to five and they’ll multiply the two scores to get an overall risk rating.

I believe this approach is fundamentally flawed. Let me give you a very specific example. What’s the probability and severity of a Cyber Security attack that’s happening to the company right now? Your firewall and your controls are able to protect against it. Probability is high. One to five, it has to be at five, it’s happening. Hundreds and thousands of times. What’s the severity? It’s low. The lowest you can be. It’s a one. So, five times one is a five. What’s the probability and severity of a major data breach? The probability is low. It’s a one. Severity is high. It’s a five, one times five, it’s five. So, you end up with the same score for two very different situations. The math behind probability times severity gives you expected loss, but your risk is not driven by expected loss, it’s driven by stress loss or unexpected loss.

In determining how to assess risk, I like to start with the key strategic, business, and operational objectives of the company. What’s your strategy? What are the KPIs – Key Performance Indicators – that would indicate whether you’re achieving that strategy? Then you say, what are the risks that could drive variability in those KPIs. What are the key risk indicators and risk tolerances for those risks?  So, start with the business objectives of the company and let that drive your risk assessment and quantification.
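The scoring problem described in the heat-map example above can be made concrete with a small simulation. This Python sketch is an added illustration, not material from the episode or from James Lam; the incident counts, dollar costs, breach probability and loss distribution are constructed assumptions, chosen so that both risks have the same expected annual loss of about $50,000.

```python
import math
import random


def heat_map_score(probability_1to5, severity_1to5):
    """Classic 5x5 heat-map rating: probability score times severity score."""
    return probability_1to5 * severity_1to5


def simulate_blocked_attacks(rng, attempts=200, p_triage=0.5, cost=500.0):
    """One simulated year of routine attacks that the controls absorb.

    Constructed assumption: of 200 notable attempts, about half need a small
    triage effort costing $500 each, so the annual loss sits near $50,000.
    """
    incidents = sum(1 for _ in range(attempts) if rng.random() < p_triage)
    return incidents * cost


def simulate_major_breach(rng, p_breach=0.02, mean_severity=2_500_000.0,
                          sigma=0.5):
    """One simulated year of a rare, severe data breach.

    Constructed assumption: 2% chance per year, lognormal severity with a
    mean of $2.5M, so the expected annual loss is also about $50,000.
    """
    if rng.random() >= p_breach:
        return 0.0
    # Choose mu so the lognormal mean equals mean_severity.
    mu = math.log(mean_severity) - sigma ** 2 / 2
    return rng.lognormvariate(mu, sigma)


def loss_profile(simulate_year, years=20_000, seed=1):
    """Simulate many years and summarise the annual loss distribution."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    losses = sorted(simulate_year(rng) for _ in range(years))
    expected = sum(losses) / years
    p99 = losses[min(years - 1, (99 * years) // 100)]  # 99th percentile year
    return {
        "expected_loss": expected,
        "p99_loss": p99,
        # Unexpected (stress) loss: how far a bad year exceeds the average.
        "unexpected_loss": p99 - expected,
    }


def compare():
    """Score both risks the heat-map way, then by their loss distributions."""
    return {
        "blocked_attacks": {
            "score": heat_map_score(5, 1),
            **loss_profile(simulate_blocked_attacks),
        },
        "major_breach": {
            "score": heat_map_score(1, 5),
            **loss_profile(simulate_major_breach),
        },
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:16s} score={row['score']} "
              f"expected=${row['expected_loss']:,.0f} "
              f"p99=${row['p99_loss']:,.0f} "
              f"unexpected=${row['unexpected_loss']:,.0f}")
```

Both risks score 5 and have similar expected losses, but the 99th-percentile year for the breach is in the millions while the blocked attacks stay close to their average.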

Transcript

Joe: [00:00:00]  Hello and welcome to On Boards – a deep look at driving business success. I’m Joe Ayoub and I’m here with my co-host Raza Shaikh. On Boards is about Boards of Directors and Advisors and all aspects of board governance. Twice a month, this is the place to learn about one of the most critically important aspects of any company or organization, its Board of Directors or Advisors.

Raza: [00:00:32] Joe and I speak with a wide range of guests and we talk about what makes great boards great, what makes a board unsuccessful, what it takes to be a valuable member, and how to make your board one of the most valuable assets of your company.

Joe: [00:00:50] Our guest today is James Lam. James is a globally recognized risk expert, an early advocate of Enterprise Risk Management, and the [00:01:00] first ever company Chief Risk Officer. He is the President of James Lam and Associates; a highly regarded risk management consulting firm. He has served as the director of both public and private companies and served as commissioner for the National Association of Corporate Directors, Blue Ribbon Commission on Board Oversight of Disruptive Risks.

Raza: [00:01:24] His bestselling books on Enterprise Risk Management have been translated into many languages and have been adopted by top college degree and professional certification programs. James has been published and quoted in over 200 articles, including the Wall Street Journal, Harvard Business Review, The Economist, NACD Directorship, Forbes, Financial Times, and CFO Magazine.

Joe: [00:01:50] Welcome James. It’s great to have you today as our guest on On Boards.

James: [00:01:54] Thank you. It’s great to be here with you, Joe and Raza.

[00:02:00] Joe: [00:01:59] So James, you are one of the most widely-recognized risk experts in the world, and as I mentioned in my introduction, the first ever Chief Risk Officer for a company. How did assessment and management of risk become your professional passion?

James: [00:02:16] Well, if I go back to the beginning, I got my undergraduate degree in finance, and so I was always very interested in financial management and statistics. Risk management is my passion and I’m very fortunate to find a career where I could practice something that I truly believe in; something that leverage off my finance degree and learnings so that’s quite good, and I’ve had the opportunity to practice risk management in three different ways.

One as a practitioner working inside a company, two, as a consultant [00:03:00] working with different companies and different industries and different stages of risk management and thirdly, as a director, providing risk governance and oversight, in terms of risk management and leadership.

Joe: [00:03:16]  Can you talk a little about what you do for the companies with which you work, to help improve the effectiveness of their Enterprise Risk Management programs.

James: [00:03:27] So I’ve worked with over 75 ERM or Enterprise Risk Management engagements, different companies, different industries, and typically, I would go into a company and assess their current risk management processes and then come up with a set of recommendations in terms of how they could enhance those processes. But what’s really important is to understand: What are their [00:04:00] business needs? What’s the size, complexity, business model and strategy for the company? So you could customize the Enterprise Risk Management program for their needs, and one thing that’s distinguished about what I do, given that I’ve been a practitioner when I do work with companies, I help them with implementation. You know the classic joke where the consultants tell you what to do, but they don’t help you do it? Well, I try to overcome that. So I do help my clients with implementation. I have templates, examples, case studies, so they could implement much more efficiently.

Joe: [00:04:41] Do you typically work with management, with the board, with both? How does that interaction take place?

James: [00:04:47] Yeah, usually both, and what I found to be a critical success factor is the commitment and engagement of the CEO. So if I could have one thing in each [00:05:00] engagement and I could tell you of the engagements that were highly successful, there’s a hundred percent correlation to how engaged and committed the CEO is, and then having board involvement, board input, I think is critical. If there’s a Chief Risk Officer, having a capable Chief Risk Officer and the alignment with other senior executives, I think all of those are critical things. So it’s not about getting the data model or even the analytics; it’s really about getting management buy-in and shaping the culture of the company.

Joe: [00:05:40] So I’ve always been intrigued by the fact that you were the very first Chief Risk Officer for a company. How did that come about and what did that role mean exactly?

James: [00:05:52] Well, this was in 1993. I joined GE Capital Market Services and I [00:06:00] had the responsibility for the middle and back office. So in the middle office, I had market risk and credit risk and back in ’93, there was no such thing as Operational Risk Management – it was just Operations. So, one day I walked in to my boss’s office, the President of the company. I said, ‘Hey, Rick I’m ordering some business cards. What’s my title?’ And he goes ‘Well, I didn’t come up with one for you. Why don’t you come up with one that fits your responsibilities?’ And at that point, the title of CIO – Chief Information Officer, was becoming very popular of having a senior level executive, a C-suite executive that’s going to integrate your mainframe, your client server, your PC and internet technologies, in support of the company’s strategy. And so why not risk? Why not have a C-level [00:07:00] executive, that’s going to integrate financial risk, operational risk and strategic risks and elevate it to a C-level agenda item, and so I thought, well, Chief Risk Officer sounds pretty good to me.

Joe: [00:07:14] That is good. So you kinda just made it up, put it on your card and it was born right there and then.

James: [00:07:21] Yeah. And over time, now I think there are thousands and thousands of Chief Risk Officers across many industries in the world, and I think it’s a good movement. I think companies have benefited from that role.

Joe: [00:07:37] So in the past, companies have had people called Chief Security Officers, or they’ve had Chief Information Security Officers. What is it that brings a company to kind of adopt the idea of having a Chief Risk Officer? What gets them there and what is the advantage that that brings to a company?

[00:08:00] James: [00:08:00] Yeah. So for most companies, the role of the Chief Risk Officer or Chief Compliance Officer is considered the second line of defense. Right? So the first line of defense are the business units, the operational units, so your business leaders, your CIO and your CTO are considered your first line of defense. They own the risk.

The Chief Risk Officer is the second line of defense. They provide policy, they provide oversight and best practices in support of the CEO and the executive team. To oversee risk management within the whole company, and the third line of defense, I would say is the Board of Directors with the support of the internal audit function.

Joe: [00:08:51] So, you’re posing it as a line of defense, but I’ve read some of your articles, and I really got the impression [00:09:00] that it’s more almost of a proactive position that a Chief Risk Officer is taking, rather than when you think of a line of defense, you almost think of a defensive position. So is it fair to say that a Chief Risk Officer and we’ll talk a bit also about a Risk Committee, makes it more proactive in addressing risk and thinking about risk. Is that a fair way to look at it?

James: [00:09:23] That’s exactly right, Joe. I think taking a proactive approach to risk management is one of the key responsibilities for the CRO. So, think about yourself in the first line of defense. You’re running a business. You’re running the IT function. You’re really focused on the day-to-day, and you might be responding to risk incidents or minor crises, but a Chief Risk Officer is much more forward-looking, much more proactive, looking at things outside in, looking at things much more long [00:10:00] term. Defining policy, defining risk appetite, thinking about risk in a much broader context and how it may impact the company. These are not things that you would expect from the first line of defense, and it’s probably not something that executive management team spends a lot of its energy and time on, so having that role of a Chief Risk Officer really provides the expertise, the time, the attention and focus on the most critical things that’s going to drive performance in the future. So being proactive, being forward, looking at key trends outside in, are really important things.

Joe: [00:10:47] So in kind of following that, I know that you’ve recommended that the companies have Risk Committees on their boards and a number of companies have in fact adopted that practice, but many have [00:11:00] not. Why do you recommend a separate Risk Committee? Why can’t, for example, the audit committee, which typically is tasked with that function, why can’t they handle it, and doesn’t it to some degree depend on the level of risk that a company faces? So maybe a company that sells groceries, has a different kind of risk than a high-tech company, for example.

James: [00:11:25] I think the business models, complexity are important factors. But let me talk about why a company should at least consider setting up a Risk Committee from two dimensions. One is in terms of scope and mandate, and the other is just in terms of function. So in terms of scope and mandate, I’ll relate to you a conversation that I had with a board member, from a large energy firm. So I want to give credit to where it’s due, and she was a member of the Risk Committee [00:12:00] and the Audit Committee and that company was considering combining two, and she was a strong advocate of keeping both the risk and audit committee. And she said to me, ‘James, the risk committee and the audit committee wear different hats. We have very different scope in mandates. The Audit Committee is paid to think inside the box. Your SEC requirements, your financial disclosure, Sarbanes Oxley, FASB, et cetera. You don’t want to be creative in your accounting.

Joe: [00:12:40] Right.

James: [00:12:40] You really want to check the box, make sure you’re in compliance of all these laws, regulations and standards, whereas the risk committee is paid to think outside the box. What are the uncertainties, what are the external drivers that could impact [00:13:00] our earnings, our cash flows, our value? How do we expect the unexpected? How do we think around corners? So you’re really paid to think outside the box’, and I thought that was a very compelling way of contrasting the scope and mandate of the audit versus the risk committee, and I’ve chaired both. I’ve chaired a risk committee for E*Trade, I chaired an audit committee for RiskLens, and I would say the functioning of those two committees are very different. You look at the agenda items, you look at the reporting and you look at the oversight and decision making. They’re very distinct. Now, I’m not going to say that every company needs a risk committee. If you’re going to have it as part of the audit committee, you just have to make sure you have the right directors, the right skills, and that you spend enough time in that committee [00:14:00] on risk management issues, or it could be a part of the full board. Even companies with risk committees might say appropriately that strategic risk, and reputational risk ought to be a full board agenda item. So there are different ways of doing it, but I think the most important thing is to make sure that the risk agenda is well represented in terms of board and committee time.

Joe: [00:14:29] So, if you were populating a risk committee versus an audit committee, what are the skills and expertise you’d be looking for on the risk committee that might be different from the folks you would be appointing to the audit committee?

James: [00:14:45] Yeah. So for the audit committee, you want financial experts, right? People come from a CFO auditing regulatory type of background, right? [00:15:00] For risk committee, you want risk experts. You want Cybersecurity professionals. You want business people who could translate risk in terms of strategy and operations, you know operational people would be very good. So I think the skill sets are very different, because the work is different.

Joe: [00:15:23] Okay.

James: [00:15:23] There’s some overlap, right? So I think it’s important for example, that the audit committee sits on the risk committee, and the audit chair sits on the risk committee and the risk chair sits on the audit committee when you have those two committees.

Joe: [00:15:40] That makes a lot of sense.

When you serve as a board member, what role have you typically filled and how have you worked with management in that role?

James: [00:15:52] Yeah. So I think we’ve all heard of the principle of “nose in and fingers out.”

Joe: [00:15:59] Right. [00:16:00] Yep.

James: [00:16:00] And I respect that principle. I also think that there’s a middle ground. So if a company is in a situation where they really need to up their game in risk management, and if there’s a director who has no deep risk management or Cybersecurity expertise, I think the middle ground with the providing a guiding hand. So it’s not ‘nose in and fingers out’, but you could provide some guidance in terms of your expectations and your standards.

So I think it is important that the board provides some input in terms of the kind of reporting that they want to see, the kind of metrics, that they provide input and guidance on the risk appetite statement and the integration between risk and strategy, and I’ve also found at a [00:17:00] practical level that having informal working groups, management and board members, could be very helpful. So you’re sitting outside of a formal board meeting, because during a board meeting, if you provide critique or guidance, management might take it as being defensive, in terms of you criticizing the work that they’ve done, but if you do it in an informal working group, then you could bounce around ideas, brainstorming, draft things, and do it in a very constructive and non-threatening manner.

Joe: [00:17:38] Yeah, that’s a great idea. That really makes a lot of sense to me, especially with something like risk where it seems like you really need a more open conversation than you might in some other areas. So let me ask you this. So when something really bad happens at the corporate level, from whether it was Enron to [00:18:00] WeWork to Wirecard, the question is asked, “where was the board?” Why did this happen on their watch?

What are the things that we should look at in determining whether, and to what extent, a board bears the responsibility for the catastrophic problem that might derail a company?

James: [00:18:22] Yeah, I think boards need to go back to the basics in terms of fiduciary responsibilities, in our duties of care, duties of loyalty, but put that in the context of risk management and oversight. Besides the corporate scandals that you’ve just mentioned, I think your listeners could benefit from looking at the Blue Bell Ice Cream case and the Clovis Oncology cases, both of which I think have really [00:19:00] elevated the standards for duties of care and duties of loyalty in terms of risk management and compliance, and that it is important for the Board of Directors in exercising those two standards to make sure that there is a risk management and compliance system in place, and that system is working effectively and that the board is getting the right metrics, the reporting and red flags, in terms of risks and that they hold management accountable. So for any board, I think those are standards that we need to consider and make sure that we fulfill those, duties of care and loyalty.

Joe: [00:19:52] That’s great. That’s helpful.

Raza: [00:19:53] James. You know, you alluded to multiple levels of [00:20:00] managing risk or looking at risk. Some people would argue that at the end of the day, the CEO of the company is really the real Chief Risk Officer. How does the Chief Risk Officer in a company have a real impact if the risk that they are tasked at managing blow up? This is like asking is risk management job even real without skin in the game.

James: [00:20:26] Yeah, I think that’s a great question. In terms of the CEO, you could always argue the CEO is also ultimately the CFO, the CMO, and ‘C’ anything else – because ultimately that person is responsible for the performance of the company, and the reason why the CEO needs a C-suite of specialists is really to support him in managing the company, operating the company, executing against the [00:21:00] strategy.

I think the Chief Risk Officer is really tasked with making sure that there’s a robust and effective ERM program that the policies and the risk assessment analytics, the risk management strategies, the reporting are appropriate. If the CEO wants to do that, great! It should be explicit that the CEO is also the Chief Risk Officer. It should be explicit, not implicit. For example, if you look at Steve Jobs at Apple, he was the CEO, but you would argue he was also the Chief Product Officer, because that’s his expertise. So if you have a CEO, that’s also very risk-skilled, then that would be fine, but I don’t think you find that in too many organizations.

Raza: [00:21:56] We’ve heard about use of heat maps [00:22:00] and other quantification methods that look at risk at a glance. Can you give us an overview of what risk quantification solutions have evolved and how companies like RiskLens provide such tools? Are they suitable for boards or mostly for management?

James: [00:22:19] Yeah. Thank you for asking that. So I’m on the board of RiskLens and RiskLens is a Cyber Risk quantification company, and I chair our audit committee. But beyond Cyber Risk, if you go back to financial risks, so market risk in the nineties was a real challenge believe it or not, but if you go back, people will say ‘oh, it’s really hard to measure value, whereas it’s hard to measure mortgage prepayment and getting a lot of data and models together. We solved that, right? We do market risk monitoring real time, [00:23:00] 24/7 now, and then it was credit risk. Oh, it’s really hard to aggregate all of our lending and counterparty exposures across an organization. Well we solved that. Then it was Operational Risk, now Cyber. So if you go back to the nineties, even eighties, the past 30 plus years, we had challenges in risk quantification measurement, but we’ve overcome that, and I think we will overcome that with Cyber and any other types of risks. We manage what we measure and for us to get to good risk management, I think we need to get to good risk quantification. Many companies I see use risk assessments that are qualitative and heat maps that lays out these risk types in terms of probability range and the severity [00:24:00] range. And the directors and senior executives I talk to, don’t find these processes or reports useful or actionable.

Raza: [00:24:13] It may become white noise.

James: [00:24:16] It is, and I think a lot of companies get stuck in risk identification, as opposed to true risk assessments and reporting. I’ll give you an example of that.

So the way companies do risk assessments and heat maps, they generally get people in the room. They say, what are the risks facing the company?  They might come up with 20, 30 different risks and they would assess the probability one to five and then severity one to five and they’ll multiply the two scores to get an overall risk rating, [00:25:00] and let me tell you that I think we all strive in our business life and also our personal life, in terms of achieving some simplicity. Simplicity -it’s a great thing, but I would also distinguish something that’s simplistic and superficial versus something that’s really robust and analytical that you simplify. So I love simplification. I don’t love simplicity. I don’t love things that are superficial, and going back to that one to five rating,

Raza: [00:25:39] Yeah.

James: [00:25:40] I’ll give you a very specific example. What’s the probability and severity of a Cyber Security attack that’s happening to the company right now? Your firewall and your protections are able to protect it. Probability’s high. One to five, it [00:26:00] has to be at five it’s happening.

Raza: [00:26:01] Yeah.

James: [00:26:02] Hundreds and thousands of times. What’s the severity? It’s low. The lowest you can be. It’s a one. So five times one is a five. What’s the probability and severity of a major data breach, but probability is low. It’s a one. Severity is high. It’s a five, one times five, it’s five. So you end up with the same score for two very different…

Raza: [00:26:30] I think my example would be averages. So you may have heard, would you ever cross a river that’s told to be four feet deep on the average?  Like the average loses a lot of information in the guise of simplicity, but oversimplification and just doesn’t remain useful. So if somebody said the river is on the average [00:27:00] four feet deep, would you cross it?

James: [00:27:02] Yeah. And that’s exactly right. And the math behind probability times severity gives you your expected loss.

Raza: [00:27:11] Yes.

James: [00:27:13] Your risk is not driven by expected loss. It’s driven by stress loss or unexpected loss.

Joe: [00:27:21] Right. Great.

Raza: [00:27:22] Reversing that, the broader question James would be like, so what is a better or best practice way that management should be reporting risk to boards? What is a good way of seeing it? What is a good way of talking about it, from a reporting perspective to the board?

James: [00:27:42] Well, you’ll be surprised, and my clients are surprised with my answer to that, and that is don’t start with the risk. So a lot of times companies say, they start with, what are our risks?

Raza: [00:27:56] What are our risks.

James: [00:27:57] Yeah. That’s the first question, and I like to [00:28:00] start with the key strategic business and operational objectives of the company, so start with your strategy. What’s your strategy? What are the KPIs – Key Performance Indicators – that would indicate whether you’re achieving that strategy? Then you say, what are the risks that could drive variability in those KPIs. And then you could say, what are the key risk indicators and risk tolerances for those risks? All right. So in terms of metrics and KOIs and risk appetite, but don’t start with the risks. Start with the business objectives of the company and let that drive your risk assessment and quantification, and also what are the most important outcomes for the company in terms of earnings, market value, cash flows, [00:29:00] and even for non-profit organizations and government entities, what’s our mandate, how do we measure the achievement of that mandate in terms of metrics, and start with that, and design the risk management program and reporting around those…

Raza: [00:29:18] James, you talk about the risk zoo I’ll call. Tell us about black swans, white elephants, and gray rhinos.

James: [00:29:27] Well, this is some of the work that I did with the NACD in the 2018 Blue Ribbon Commission report on what oversight of disruptive risk. So one of the recommendations of that Blue Ribbon Commission Report is that you should make sure robust ERM program’s in place, in terms of your strategic, financial, operational, regulatory, reputational risk. And once you have that [00:30:00] core foundation, then you really need to think about doing scenario analysis, and think about these disruptive risks, things like AI, Cyber Security, climate change, pandemics, and I group them into three animal categories. It was the black swans and gray rhinos – two books written by other authors that I think very highly of – and black swans are improbable, but very severe events like September 11th, like the invention of the internet. Gray rhinos, or macro events that are charging at you, that you really see coming, like artificial intelligence. Now it’s like changing a lot of things and changing the world [00:31:00] in the business that we see, but Artificial Intelligence was invented in the 1990s, just North of here in Dartmouth, right? Where computer scientists taught computers how to play chess better than the average human, and now it’s becoming much more important. I would also say climate change, Cyber Security, are also gray rhinos, and white elephants is like the combination of a risk event and the elephant in the room. Things that, it’s here, right. It could be a dysfunctional CEO. It could be a money-losing business that a senior business executive is really invested in. We can’t get out of it. It could be an adverse culture of the company that we [00:32:00] all know is here. We should do something about it, that we don’t talk about it, and we try to avoid the topic. 
All of these disruptive risks, black swans, gray rhinos, and white elephants could have a severe impact on an organization, but for various reasons, cognitive biases, loyalties, emotional issues, we have a hard time dealing with them, and so the BRC report and my article really says that in addition to the risk that we traditionally look at, if you look at the world we live in today in 2020, it’s just an amazing example of that. We need to think about disruptive trends in this as well.

Joe: [00:32:47] So if a company had a Chief Risk Officer, that person would be charged with making sure the company and the board was looking at black swans and facing the white [00:33:00] elephant in the room, etc. I mean, that would be a compelling argument for “why have a Chief Risk Officer.”

James: [00:33:06] Yeah. And I would say, that person is responsible to help the board and senior management to imagine the unimaginable. To expect the unexpected and be able to prepare for any scenario. I think being prepared is really important. So I worked with one Board of Directors and the company had a very strong ERM program. And two years ago, the board approved a pandemic management plan. In 2018, the board approved a pandemic management plan. Last year they stress tested that plan, and then when the pandemic hit early this year, they had a playbook. The playbook didn’t anticipate everything, but it had a [00:34:00] curve and it had different stages, it had social distancing, PPE. You know, working remotely and so forth. We probably had 70 to 80% of the eventualities and that really helped the company be prepared for this scenario. But I would also say that company probably wouldn’t have this plan in place if they didn’t already address some of their core risks in their ERM program.

Joe: [00:34:27] Great example. Thank you.

Raza: [00:34:28] James, so to use Donald Rumsfeld’s analogy of the unknown unknowns. Some of these things, as you mentioned, like imagine the unimaginable, what is the best way for boards or whoever is tasked at the board for, governing on risk, what are some of the best things and best ways for the boards to deal with that?

James: [00:34:56] Yeah. The key challenge to black swans or [00:35:00] unknown unknowns is you can’t predict it. So some people would argue that the pandemic was a gray rhino cause we’ve had pandemics before, we will have them in the future, but it’s really hard to predict when it’s going to happen, how severe it’s going to be. And there are going to be unknown unknowns that we would face in the future. What I think is really important for any company to have, is a system and the feedback loop that they could identify and isolate unexpected variance in performance. So when there are things happening in the company or in its marketplace that is driving unexpected performance variance, where there’s earnings and stock price value, you pick it up and you pick it up really quickly and say, okay, are there things happening without customers or [00:36:00] technologies, and markets that we were not aware of? And if you pick it up more quickly, then you could see the black swans coming, while they’re still gray swans. So things don’t happen all at once. These things happen over time. And so I think having those kind of early warning indicators, and be able to have those feedback loops are very important.

Joe: [00:36:28] That’s great. James, your book, Enterprise Risk Management from Incentives to Controls, came out in the early 2000s and then was fully revised and published in 2015. What had you observed and learned since the book was first published and the 2015 edition, and what have you learned since then that would [00:37:00] colour the advice that you would give to a company?

James: [00:37:04] Yeah. So I just want to say that my latest book came out in 2017 and it was about implementation. So the first book and the second edition was on: What are the best practices in risk management? What are some of the industry requirements? The second book or the most recent book in 2017 is on implementation, and it’s really on how. How do you implement, how do you create value? But even since those two books, I’ve learned, especially with the pandemic, that health and safety is going to be a critical element of everyone’s risk management program, going forward. I’ve learned that we really need to be much more forward looking, in looking at macro trends. [00:38:00] It was a McKinsey study that shows 70% of board time and reporting is backward looking. And since that time I participated in the Blue Ribbon Commission panel and reinforced my belief that you need to have a robust ERM program that goes beyond risk assessments and heat maps, and you need to leverage that to look at some of the disruptive risks that we face, but I think ultimately this pandemic and the economic crisis that we’re going through, it really puts risk management in the front burner in terms of management and board attention, and I look forward to the lessons learned and the ways we need to adjust our risk management programs, going forward.

Joe: [00:38:56] Great. James. It’s been great speaking with you today. [00:39:00] Thanks for joining us. I hope you and your family will continue to be well and stay safe.

James: [00:39:05] Thank you. Same to you, Joe. And thank you, Raza. It’s been a pleasure speaking with you.

Joe: [00:39:12] And thank you all for listening today, to On Boards with our special guest James Lam. Please take care of yourselves, your families, and your communities, as best you can. Raza you take care. I hope you and your family continue to be well and are staying safe.

Raza: [00:39:28] Yes, Joe, we’re staying safe and well. Hope same for your family as well.

Joe: [00:39:33] Thanks so much.

James: [00:39:34] All the best.
